Cisco Support Community
New Member

Help blocking smart devices from using VPN

Hello,

I am looking for a solution to block smart devices from connecting to our network via VPN. Our current VPN solution is ASA5520 and we are using Cisco ACS for user authentication. We use Cisco VPN client only, no anyconnect or SSL VPN.

Management is looking for a way we can stop smart devices from using VPN clients to connect and only allow laptops/desktops to connect.

Does anyone have a way we can do this via ACS or another method?

1 ACCEPTED SOLUTION

Re: Help blocking smart devices from using VPN

Worring - I block iPhones & iPads all around my global network with 100% accuracy with a few simple lines of config:

group-policy <> attributes
 client-access-rule 1 deny type "iPhone OS" version *
 client-access-rule 2 permit type * version *

As it actually works on the device OS - not the Cisco VPN Client version.

10 REPLIES

Re: Help blocking smart devices from using VPN

You can do this to a point: you can define the flavour of VPN client that is able to connect. Use your favourite search engine for "client access rules".

Sent from Cisco Technical Support iPad App

New Member

Re: Help blocking smart devices from using VPN

Thanks, but the client access rules will not solve this problem. I just connected with my iPhone; it has a built-in Cisco VPN client as part of Apple iOS... I was thinking more along the lines of being able to deny MAC tables based on manufacturer.

The domain membership idea might be worth looking into as well for us...

New Member

Re: Help blocking smart devices from using VPN

Ok, I will try it again, but according to this documentation the type must match what is displayed in show vpn-sessiondb remote; when I do that command all I see is type ipsec... nothing about iOS or client version numbers:

version

Identifies the device version via free-form strings, for example 7.0. A string must match exactly its appearance in the show vpn-sessiondb remote display, except that you can use the * character as a wildcard.

Re: Help blocking smart devices from using VPN

You should see something like "Client Type  : WinNT". If you see nothing, then the remote device is not sending its device type.

New Member

Help blocking smart devices from using VPN

Confirmed that works!! I was able to prevent my iPhone from connecting:

Tunnel Rejected: Client Type or Version not allowed.

Thanks for the help...one last question for you. Is there a list of common strings for the different OS types that you can block using this command?

I don't understand how the ASA knows what type of OS is connecting. The command "show vpn-sessiondb remote" does not have any client or os information listed...so how would I know which parameters to block for other smart devices?

Help blocking smart devices from using VPN

To be honest - I have no clue. I just read the command ref guide, then looked at the reported client type and wrote my config with that, also with a wildcard... and it works for me!!!!

HTH
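The question left open above is which type strings other devices report and how the two posted rules act on each session. As an added example, not from the thread or from Cisco, this Python parses a constructed show vpn-sessiondb detail remote listing (only the "Client Type :" label is quoted in the thread; the two-column layout and other field names are assumed), inventories the reported Client Type strings, and applies the accepted rules with the documented exact-match semantics where * is the only wildcard; a session that reports no type is flagged separately, since the reply above notes such clients send none.

```python
import re
from collections import Counter
# Constructed sample of "show vpn-sessiondb detail remote" output. Only the
# "Client Type : ..." label is quoted in the thread; the layout is assumed.
SAMPLE_SESSIONDB = """\
Username     : alice                  Index        : 12
Client Type  : WinNT                  Client Ver   : 5.0.07.0440

Username     : bob                    Index        : 13
Client Type  : iPhone OS              Client Ver   : 6.1.3

Username     : carol                  Index        : 14
Protocol     : IPsec
"""

# The two rules from the accepted solution: (priority, action, type, version).
RULES = [(1, "deny", "iPhone OS", "*"), (2, "permit", "*", "*")]

# "Key : value" pairs, two per line, separated by runs of spaces.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z]|\s*$)")

def parse_sessions(text):
    """Group the listing into one dict of fields per 'Username' block."""
    sessions, current = [], None
    for line in text.splitlines():
        for key, value in FIELD_RE.findall(line):
            if key == "Username":
                current = {"Username": value}
                sessions.append(current)
            elif current is not None:
                current[key] = value
    return sessions

def client_types(text):
    """Inventory of reported Client Type strings: the values a deny rule must name."""
    return Counter(s["Client Type"] for s in parse_sessions(text) if "Client Type" in s)

def wildcard_match(pattern, value):
    """client-access-rule matching: exact, case-sensitive, with '*' as the only wildcard."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def evaluate(session, rules=RULES):
    """First matching rule wins; a client reporting no type is 'unknown', not matched by '*'."""
    ctype, cver = session.get("Client Type"), session.get("Client Ver", "")
    if not ctype:
        return "unknown"
    for _prio, action, type_pat, ver_pat in sorted(rules):
        if wildcard_match(type_pat, ctype) and wildcard_match(ver_pat, cver):
            return action
    return "deny"  # nothing matched: modelled as deny (assumption, see command reference)
```

Feed it the saved output of the real command to see which type strings your own clients report before writing a deny rule.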

New Member

Help blocking smart devices from using VPN

If I check active VPN sessions using ASDM it shows me client type!!

Thanks for the help!

Help blocking smart devices from using VPN

np glad to help.

New Member

Re: Help blocking smart devices from using VPN

Hi Rod. I have a similar challenge using ACS 5.2. Haven't tried yet, but my plan is for the ACS (using RADIUS) to verify the device is a member of the domain; in my case I want to control the IP/subnet pool depending on domain membership. Hope someone has a good solution. The solution would also apply to our wireless device access.

-Keith
